Openvpn

From SchnallIchNet
Revision as of 7 July 2011, 10:49 by Cbs (talk | contribs) (Created page with: "some general things to secure openvpn == tls-auth == to get extra security use a preshared tls-auth key. this key is generated at server-side and published…")


some general things to secure openvpn

tls-auth

to get extra security use a preshared tls-auth key.
this key is generated at server-side and published to all clients...
do NOT create a new key at client-side! this won't work!

create the key (server):

openvpn --genkey --secret ta.key

activate the key at server-side:

tls-auth ta.key 0
tls-server

be sure to use parameter '0' (zero) at server-side
now copy the ta.key to the client using a secure connection
and add this to the config:

tls-auth ta.key 1
tls-client

be sure to use parameter '1' (one) at client-side
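The two directions above are easy to get wrong when the server's config line is copied to the client unchanged. The following is an added example, not code from the wiki page: it reads a server and a client config fragment, checks that the server end uses direction 0 (with tls-server, or server which implies it) and the client end direction 1 (with tls-client, or client), and checks that a ta.key file has the layout openvpn --genkey writes (BEGIN/END markers around 16 lines of 32 hex digits). The sample key and configs are constructed inline; the key is not a real key. Function names are my own.

```python
"""Consistency checks for a tls-auth setup (added example, not from the page)."""
import re

KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
KEY_END = "-----END OpenVPN Static key V1-----"


def parse_directives(cfg_text):
    """Map directive -> argument list for an OpenVPN-style config.

    Blank lines and '#' / ';' comments are ignored; a directive that appears
    twice keeps its last occurrence, which is enough for these checks."""
    out = {}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        out[parts[0]] = parts[1:]
    return out


def looks_like_static_key(key_text):
    """True if key_text has the shape of a 2048-bit key from `openvpn --genkey`:
    optional '#' comment lines, then BEGIN marker, 16 lines of 32 hex digits,
    END marker."""
    lines = [l.strip() for l in key_text.strip().splitlines()
             if not l.lstrip().startswith("#")]
    if lines[:1] != [KEY_BEGIN] or lines[-1:] != [KEY_END]:
        return False
    body = lines[1:-1]
    return len(body) == 16 and all(re.fullmatch(r"[0-9a-fA-F]{32}", l) for l in body)


def check_tls_auth(server_cfg, client_cfg):
    """Return a list of problems; an empty list means the pair is consistent.

    Server must carry `tls-auth <key> 0` and client `tls-auth <key> 1`, as the
    page requires. tls-server / tls-client may also be implied by the
    `server` / `client` directives, so either spelling is accepted."""
    problems = []
    ends = (
        ("server", parse_directives(server_cfg), "0", ("tls-server", "server")),
        ("client", parse_directives(client_cfg), "1", ("tls-client", "client")),
    )
    for name, cfg, want_dir, modes in ends:
        args = cfg.get("tls-auth")
        if args is None:
            problems.append(f"{name}: no tls-auth directive")
            continue
        if len(args) < 2:
            problems.append(f"{name}: tls-auth has no key-direction parameter (expected {want_dir})")
        elif args[1] != want_dir:
            problems.append(f"{name}: tls-auth direction is {args[1]}, expected {want_dir}")
        if not any(m in cfg for m in modes):
            problems.append(f"{name}: missing {modes[0]}")
    return problems


# Constructed sample data (NOT a real key; generate one with `openvpn --genkey --secret ta.key`).
SAMPLE_KEY = "\n".join(
    ["# 2048 bit OpenVPN static key (constructed sample)", KEY_BEGIN]
    + ["0123456789abcdef0123456789abcdef"] * 16
    + [KEY_END]
) + "\n"
SERVER_CFG = "tls-auth ta.key 0\ntls-server\n"
CLIENT_CFG = "tls-auth ta.key 1\ntls-client\n"
BAD_CLIENT_CFG = "tls-auth ta.key 0\ntls-client\n"   # server line copied unchanged

if __name__ == "__main__":
    print("key format ok:", looks_like_static_key(SAMPLE_KEY))
    print("good pair:", check_tls_auth(SERVER_CFG, CLIENT_CFG))
    print("bad pair:", check_tls_auth(SERVER_CFG, BAD_CLIENT_CFG))
```

Run it against the real files after copying ta.key to the client: a non-empty list from check_tls_auth means the HMAC directions do not match and the handshake will be dropped on one side.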


dh (Diffie-Hellman parameters)

this will be created separately for server and clients.
create the file with:

openssl dhparam -out dh1024.pem 1024

or, if you want to use a 2048-bit key

openssl dhparam -out dh2048.pem 2048

and add it to your config file (same for server and client):

dh dh1024.pem

or

dh dh2048.pem


client-config-dir

assuming that you added

client-config-dir ccd

to your config at server-side, add the following:

route 10.10.0.252 255.255.255.252

this adds the appropriate route to the server to route the
range 10.10.0.252-10.10.0.255 through the tunnel interface...

now create a file inside the ccd directory named after the CN of the signed cert.
so if the CN of the cert is CN=openVPN_Good.Boy then create the file ccd/openVPN_Good.Boy
now add the two IPs from the middle of the range:

ifconfig-push 10.10.0.253 10.10.0.254

the client now gets the IP 10.8.0.253 with a P-t-P/peer address of 10.8.0.254
you can add additional routes here to push to that client only:

push "route 10.255.0.0 255.255.192.0"

this will set a route at client-side to route the range
10.255.0.0-10.255.63.255 through the tunnel interface...
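To make the address arithmetic in this section explicit, here is an added example (not code from the wiki page) that derives the server's route line and the ccd/<CN> file from the /30 given to one client, and computes the first and last address a route line covers. It uses the page's own values (CN openVPN_Good.Boy, the /30 10.10.0.252-255, the pushed route 10.255.0.0/255.255.192.0); the function names are mine. It assumes the net30-style ifconfig-push shown on the page, where the two arguments are the client's local and peer addresses (under topology subnet the second argument would be a netmask instead).

```python
"""Derive server route, ccd entry and route ranges (added example, not from the page)."""
import ipaddress


def route_range(network, netmask):
    """First and last address covered by `route <network> <netmask>`."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    return str(net.network_address), str(net.broadcast_address)


def server_route_line(subnet):
    """The `route` line the server needs so the /30 is sent into the tunnel."""
    net = ipaddress.ip_network(subnet, strict=True)
    return f"route {net.network_address} {net.netmask}"


def ccd_entry(cn, subnet, push_routes=()):
    """Return (path, file_content) for the per-client file ccd/<CN>.

    The two usable addresses of the /30 become the ifconfig-push pair
    (client local address, peer address); network and broadcast addresses
    stay unused, exactly as on the page. push_routes is a list of
    (network, netmask) pairs pushed to this client only."""
    # A CN that could escape the ccd directory must not become a file name.
    if not cn or "/" in cn or "\\" in cn or cn in (".", ".."):
        raise ValueError("CN would not map to a plain file inside ccd/")
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen != 30:
        raise ValueError("expected one /30 (four addresses) per client")
    local, peer = list(net.hosts())
    lines = [f"ifconfig-push {local} {peer}"]
    for network, netmask in push_routes:
        ipaddress.ip_network(f"{network}/{netmask}", strict=True)  # reject typos early
        lines.append(f'push "route {network} {netmask}"')
    return f"ccd/{cn}", "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Values from the page; the output can be pasted into the server config and ccd/ file.
    print(server_route_line("10.10.0.252/30"))
    path, content = ccd_entry("openVPN_Good.Boy", "10.10.0.252/30",
                              push_routes=[("10.255.0.0", "255.255.192.0")])
    print(f"--- {path} ---")
    print(content, end="")
    print("pushed route covers", *route_range("10.255.0.0", "255.255.192.0"))
```

Because strict=True is used throughout, a route line whose network address is not aligned to its mask (a common copy-and-paste slip) raises a ValueError instead of silently producing a file that OpenVPN will later reject.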